Update

2026-02-19 10:07:43 +00:00
parent 007438e372
commit 6e637ecf77
1763 changed files with 60820 additions and 279516 deletions
--- a/vendor/tailscale.com/net/tlsdial/blockblame/blockblame.go
+++ b/vendor/tailscale.com/net/tlsdial/blockblame/blockblame.go
@@ -9,13 +9,19 @@ package blockblame
 import (
 	"crypto/x509"
 	"strings"
+	"sync"
+
+	"tailscale.com/feature/buildfeatures"
 )

 // VerifyCertificate checks if the given certificate c is issued by a firewall manufacturer
 // that is known to block Tailscale connections. It returns true and the Manufacturer of
 // the equipment if it is, or false and nil if it is not.
 func VerifyCertificate(c *x509.Certificate) (m *Manufacturer, ok bool) {
-	for _, m := range Manufacturers {
+	if !buildfeatures.HasDebug {
+		return nil, false
+	}
+	for _, m := range manufacturers() {
 		if m.match != nil && m.match(c) {
 			return m, true
 		}
@@ -33,46 +39,56 @@ type Manufacturer struct {
 	match matchFunc
 }

-var Manufacturers = []*Manufacturer{
-	{
-		Name:  "Aruba Networks",
-		match: issuerContains("Aruba"),
-	},
-	{
-		Name:  "Cisco",
-		match: issuerContains("Cisco"),
-	},
-	{
-		Name: "Fortinet",
-		match: matchAny(
-			issuerContains("Fortinet"),
-			certEmail("support@fortinet.com"),
-		),
-	},
-	{
-		Name:  "Huawei",
-		match: certEmail("mobile@huawei.com"),
-	},
-	{
-		Name: "Palo Alto Networks",
-		match: matchAny(
-			issuerContains("Palo Alto Networks"),
-			issuerContains("PAN-FW"),
-		),
-	},
-	{
-		Name:  "Sophos",
-		match: issuerContains("Sophos"),
-	},
-	{
-		Name: "Ubiquiti",
-		match: matchAny(
-			issuerContains("UniFi"),
-			issuerContains("Ubiquiti"),
-		),
-	},
+func manufacturers() []*Manufacturer {
+	manufacturersOnce.Do(func() {
+		manufacturersList = []*Manufacturer{
+			{
+				Name:  "Aruba Networks",
+				match: issuerContains("Aruba"),
+			},
+			{
+				Name:  "Cisco",
+				match: issuerContains("Cisco"),
+			},
+			{
+				Name: "Fortinet",
+				match: matchAny(
+					issuerContains("Fortinet"),
+					certEmail("support@fortinet.com"),
+				),
+			},
+			{
+				Name:  "Huawei",
+				match: certEmail("mobile@huawei.com"),
+			},
+			{
+				Name: "Palo Alto Networks",
+				match: matchAny(
+					issuerContains("Palo Alto Networks"),
+					issuerContains("PAN-FW"),
+				),
+			},
+			{
+				Name:  "Sophos",
+				match: issuerContains("Sophos"),
+			},
+			{
+				Name: "Ubiquiti",
+				match: matchAny(
+					issuerContains("UniFi"),
+					issuerContains("Ubiquiti"),
+				),
+			},
+		}
+	})
+	return manufacturersList
 }

+var (
+	manufacturersOnce sync.Once
+	manufacturersList []*Manufacturer
+)
+
 type matchFunc func(*x509.Certificate) bool

 func issuerContains(s string) matchFunc {
--- a/vendor/tailscale.com/net/tlsdial/tlsdial.go
+++ b/vendor/tailscale.com/net/tlsdial/tlsdial.go
@@ -21,11 +21,14 @@ import (
 	"net"
 	"net/http"
 	"os"
+	"strings"
 	"sync"
 	"sync/atomic"
 	"time"

+	"tailscale.com/derp/derpconst"
 	"tailscale.com/envknob"
+	"tailscale.com/feature/buildfeatures"
 	"tailscale.com/health"
 	"tailscale.com/hostinfo"
 	"tailscale.com/net/bakedroots"
@@ -34,12 +37,6 @@ import (

 var counterFallbackOK int32 // atomic

-// If SSLKEYLOGFILE is set, it's a file to which we write our TLS private keys
-// in a way that WireShark can read.
-//
-// See https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/Key_Log_Format
-var sslKeyLogFile = os.Getenv("SSLKEYLOGFILE")
-
 var debug = envknob.RegisterBool("TS_DEBUG_TLS_DIAL")

 // tlsdialWarningPrinted tracks whether we've printed a warning about a given
@@ -57,26 +54,40 @@ var mitmBlockWarnable = health.Register(&health.Warnable{
 	ImpactsConnectivity: true,
 })

-// Config returns a tls.Config for connecting to a server.
+// Config returns a tls.Config for connecting to a server that
+// uses system roots for validation but, if those fail, also tries
+// the baked-in LetsEncrypt roots as a fallback validation method.
+//
 // If base is non-nil, it's cloned as the base config before
 // being configured and returned.
 // If ht is non-nil, it's used to report health errors.
-func Config(host string, ht *health.Tracker, base *tls.Config) *tls.Config {
+func Config(ht *health.Tracker, base *tls.Config) *tls.Config {
 	var conf *tls.Config
 	if base == nil {
 		conf = new(tls.Config)
 	} else {
 		conf = base.Clone()
 	}
-	conf.ServerName = host

-	if n := sslKeyLogFile; n != "" {
-		f, err := os.OpenFile(n, os.O_CREATE|os.O_APPEND|os.O_WRONLY, 0600)
-		if err != nil {
-			log.Fatal(err)
+	// Note: we do NOT set conf.ServerName here (as we accidentally did
+	// previously), as this path is also used when dialing an HTTPS proxy server
+	// (through which we'll send a CONNECT request to get a TCP connection to do
+	// the real TCP connection) because host is the ultimate hostname, but this
+	// tls.Config is used for both the proxy and the ultimate target.
+
+	if buildfeatures.HasDebug {
+		// If SSLKEYLOGFILE is set, it's a file to which we write our TLS private keys
+		// in a way that WireShark can read.
+		//
+		// See https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/Key_Log_Format
+		if n := os.Getenv("SSLKEYLOGFILE"); n != "" {
+			f, err := os.OpenFile(n, os.O_CREATE|os.O_APPEND|os.O_WRONLY, 0600)
+			if err != nil {
+				log.Fatal(err)
+			}
+			log.Printf("WARNING: writing to SSLKEYLOGFILE %v", n)
+			conf.KeyLogWriter = f
 		}
-		log.Printf("WARNING: writing to SSLKEYLOGFILE %v", n)
-		conf.KeyLogWriter = f
 	}

 	if conf.InsecureSkipVerify {
@@ -91,7 +102,9 @@ func Config(host string, ht *health.Tracker, base *tls.Config) *tls.Config {
 	// (with the baked-in fallback root) in the VerifyConnection hook.
 	conf.InsecureSkipVerify = true
 	conf.VerifyConnection = func(cs tls.ConnectionState) (retErr error) {
-		if host == "log.tailscale.com" && hostinfo.IsNATLabGuestVM() {
+		dialedHost := cs.ServerName
+
+		if dialedHost == "log.tailscale.com" && hostinfo.IsNATLabGuestVM() {
 			// Allow log.tailscale.com TLS MITM for integration tests when
 			// the client's running within a NATLab VM.
 			return nil
@@ -114,7 +127,7 @@ func Config(host string, ht *health.Tracker, base *tls.Config) *tls.Config {
 					// Show a dedicated warning.
 					m, ok := blockblame.VerifyCertificate(cert)
 					if ok {
-						log.Printf("tlsdial: server cert for %q looks like %q equipment (could be blocking Tailscale)", host, m.Name)
+						log.Printf("tlsdial: server cert seen while dialing %q looks like %q equipment (could be blocking Tailscale)", dialedHost, m.Name)
 						ht.SetUnhealthy(mitmBlockWarnable, health.Args{"manufacturer": m.Name})
 					} else {
 						ht.SetHealthy(mitmBlockWarnable)
@@ -133,7 +146,7 @@ func Config(host string, ht *health.Tracker, base *tls.Config) *tls.Config {
 					ht.SetTLSConnectionError(cs.ServerName, nil)
 					if selfSignedIssuer != "" {
 						// Log the self-signed issuer, but don't treat it as an error.
-						log.Printf("tlsdial: warning: server cert for %q passed x509 validation but is self-signed by %q", host, selfSignedIssuer)
+						log.Printf("tlsdial: warning: server cert for %q passed x509 validation but is self-signed by %q", dialedHost, selfSignedIssuer)
 					}
 				}
 			}()
@@ -142,7 +155,7 @@ func Config(host string, ht *health.Tracker, base *tls.Config) *tls.Config {
 		// First try doing x509 verification with the system's
 		// root CA pool.
 		opts := x509.VerifyOptions{
-			DNSName:       cs.ServerName,
+			DNSName:       dialedHost,
 			Intermediates: x509.NewCertPool(),
 		}
 		for _, cert := range cs.PeerCertificates[1:] {
@@ -150,22 +163,22 @@ func Config(host string, ht *health.Tracker, base *tls.Config) *tls.Config {
 		}
 		_, errSys := cs.PeerCertificates[0].Verify(opts)
 		if debug() {
-			log.Printf("tlsdial(sys %q): %v", host, errSys)
+			log.Printf("tlsdial(sys %q): %v", dialedHost, errSys)
+		}
+		if !buildfeatures.HasBakedRoots || (errSys == nil && !debug()) {
+			return errSys
 		}

-		// Always verify with our baked-in Let's Encrypt certificate,
-		// so we can log an informational message. This is useful for
-		// detecting SSL MiTM.
+		// If we have baked-in LetsEncrypt roots and we either failed above, or
+		// debug logging is enabled, also verify with LetsEncrypt.
 		opts.Roots = bakedroots.Get()
 		_, bakedErr := cs.PeerCertificates[0].Verify(opts)
 		if debug() {
-			log.Printf("tlsdial(bake %q): %v", host, bakedErr)
+			log.Printf("tlsdial(bake %q): %v", dialedHost, bakedErr)
 		} else if bakedErr != nil {
-			if _, loaded := tlsdialWarningPrinted.LoadOrStore(host, true); !loaded {
-				if errSys == nil {
-					log.Printf("tlsdial: warning: server cert for %q is not a Let's Encrypt cert", host)
-				} else {
-					log.Printf("tlsdial: error: server cert for %q failed to verify and is not a Let's Encrypt cert", host)
+			if _, loaded := tlsdialWarningPrinted.LoadOrStore(dialedHost, true); !loaded {
+				if errSys != nil {
+					log.Printf("tlsdial: error: server cert for %q failed both system roots & Let's Encrypt root validation", dialedHost)
 				}
 			}
 		}
@@ -200,9 +213,6 @@ func SetConfigExpectedCert(c *tls.Config, certDNSName string) {
 		c.ServerName = certDNSName
 		return
 	}
-	if c.VerifyPeerCertificate != nil {
-		panic("refusing to override tls.Config.VerifyPeerCertificate")
-	}
 	// Set InsecureSkipVerify to prevent crypto/tls from doing its
 	// own cert verification, but do the same work that it'd do
 	// (but using certDNSName) in the VerifyPeerCertificate hook.
@@ -232,8 +242,8 @@ func SetConfigExpectedCert(c *tls.Config, certDNSName string) {
 		if debug() {
 			log.Printf("tlsdial(sys %q/%q): %v", c.ServerName, certDNSName, errSys)
 		}
-		if errSys == nil {
-			return nil
+		if !buildfeatures.HasBakedRoots || errSys == nil {
+			return errSys
 		}
 		opts.Roots = bakedroots.Get()
 		_, err := certs[0].Verify(opts)
@@ -247,41 +257,50 @@ func SetConfigExpectedCert(c *tls.Config, certDNSName string) {
 	}
 }

-// SetConfigExpectedCertHash configures c's VerifyPeerCertificate function
-// to require that exactly 1 cert is presented, and that the hex of its SHA256 hash
-// is equal to wantFullCertSHA256Hex and that it's a valid cert for c.ServerName.
+// SetConfigExpectedCertHash configures c's VerifyPeerCertificate function to
+// require that exactly 1 cert is presented (not counting any present MetaCert),
+// and that the hex of its SHA256 hash is equal to wantFullCertSHA256Hex and
+// that it's a valid cert for c.ServerName.
 func SetConfigExpectedCertHash(c *tls.Config, wantFullCertSHA256Hex string) {
 	if c.VerifyPeerCertificate != nil {
 		panic("refusing to override tls.Config.VerifyPeerCertificate")
 	}
+
 	// Set InsecureSkipVerify to prevent crypto/tls from doing its
 	// own cert verification, but do the same work that it'd do
-	// (but using certDNSName) in the VerifyPeerCertificate hook.
+	// (but using certDNSName) in the VerifyConnection hook.
 	c.InsecureSkipVerify = true
-	c.VerifyConnection = nil
-	c.VerifyPeerCertificate = func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
-		if len(rawCerts) == 0 {
-			return errors.New("no certs presented")
+
+	c.VerifyConnection = func(cs tls.ConnectionState) error {
+		dialedHost := cs.ServerName
+		var sawGoodCert bool
+
+		for _, cert := range cs.PeerCertificates {
+			if strings.HasPrefix(cert.Subject.CommonName, derpconst.MetaCertCommonNamePrefix) {
+				continue
+			}
+			if sawGoodCert {
+				return errors.New("unexpected multiple certs presented")
+			}
+			if fmt.Sprintf("%02x", sha256.Sum256(cert.Raw)) != wantFullCertSHA256Hex {
+				return fmt.Errorf("cert hash does not match expected cert hash")
+			}
+			if dialedHost != "" { // it's empty when dialing a derper by IP with no hostname
+				if err := cert.VerifyHostname(dialedHost); err != nil {
+					return fmt.Errorf("cert does not match server name %q: %w", dialedHost, err)
+				}
+			}
+			now := time.Now()
+			if now.After(cert.NotAfter) {
+				return fmt.Errorf("cert expired %v", cert.NotAfter)
+			}
+			if now.Before(cert.NotBefore) {
+				return fmt.Errorf("cert not yet valid until %v; is your clock correct?", cert.NotBefore)
+			}
+			sawGoodCert = true
 		}
-		if len(rawCerts) > 1 {
-			return errors.New("unexpected multiple certs presented")
-		}
-		if fmt.Sprintf("%02x", sha256.Sum256(rawCerts[0])) != wantFullCertSHA256Hex {
-			return fmt.Errorf("cert hash does not match expected cert hash")
-		}
-		cert, err := x509.ParseCertificate(rawCerts[0])
-		if err != nil {
-			return fmt.Errorf("ParseCertificate: %w", err)
-		}
-		if err := cert.VerifyHostname(c.ServerName); err != nil {
-			return fmt.Errorf("cert does not match server name %q: %w", c.ServerName, err)
-		}
-		now := time.Now()
-		if now.After(cert.NotAfter) {
-			return fmt.Errorf("cert expired %v", cert.NotAfter)
-		}
-		if now.Before(cert.NotBefore) {
-			return fmt.Errorf("cert not yet valid until %v; is your clock correct?", cert.NotBefore)
+		if !sawGoodCert {
+			return errors.New("expected cert not presented")
 		}
 		return nil
 	}
@@ -292,12 +311,8 @@ func SetConfigExpectedCertHash(c *tls.Config, wantFullCertSHA256Hex string) {
 func NewTransport() *http.Transport {
 	return &http.Transport{
 		DialTLSContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
-			host, _, err := net.SplitHostPort(addr)
-			if err != nil {
-				return nil, err
-			}
 			var d tls.Dialer
-			d.Config = Config(host, nil, nil)
+			d.Config = Config(nil, nil)
 			return d.DialContext(ctx, network, addr)
 		},
 	}